A 5 year old can discern that identical 1/2 full glasses have the same amount of fluid in them. But this becomes harder even for adults if we vary height and width and nearly impossible if we vary shape. What's more interesting is that the child believes that a taller and skinnier glass has more in it even if she saw you pour it from one of the original glasses - their immature reasoning only considers the depth of the water.
Similarly, traditional cyber controls might have been effective in a simple digital world of the past, but they are have no hope or making the right decisions to allow or prevent in the any relationship (employee, customer, partner, all-of-these), any device, any “thing” (humans, machines, micro-services), any network at any time from any place in our digitally transformed world.
What we need are risk based systems that reason across all of these dimensions. In practical terms, that means rethinking and rebuilding controls to collect and decision in real-time with the vast information that we have already from asset management systems, MDM, identity stores, and certificate management systems.
